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The invention relates to a secure method of exchanging information messages sent 
successively, at given time intervals, from a transmitting platform to a receiving platform. 
More particularly, the invention concerns a method of ensuring that the last message 
received by the receiving platform corresponds to the last message sent by the 
5 transmitting platform. 

The method according to the invention finds particular application in systems for the 
operation and/or supervision of trains, called SACEM (Systeme d'Aide a la Conduite, a 
1' Exploitation et a la Maintenance, or Driving, Operation and Maintenance Assistance 
System) comprising a centralized system control center, fixed installations along the 

10 tracks and control equipment in each train. In such driving systems, the centralized 
system control center transmits, at regular intervals of time, messages of information to 
the fixed installations, said messages comprising information related to the traffic 
conditions on one or more block sections located downstream from the fixed installation. 
The control equipment of any train located on the network then receives from the fixed 

15 installations the last message of information received by the fixed installation and 
deduces therefrom the operating speed to adopt. During the exchange of such messages 
of information it is essential, for reasons of safety, to be certain that the last message 
received by the fixed installations clearly corresponds to the last information message 
sent by the centralized system control center. However, because of the various 

20 components involved in transmitting messages and the relatively long distance that could 
exist between the centralized system control center and the fixed installations, some 
messages could be disrupted and delayed in their transmission and arrive late at the fixed 
installations, resulting in a change of the order of receipt of the information messages by 
the fixed installation compared to the order of transmission by the centralized system 

25 control center. In such a case the information updated at the fixed installation no longer 
corresponds to the last message actually sent by the centralized system control center. 
Although such phenomena are rare, they absolutely must be detected in order to ensure 
the safety of traffic. 
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Customarily, it is known that, in order to make the transmission of information messages 
secure, bidirectional and continuous exchanges of data are performed so that the 
information message received by the fixed installation is retransmitted to the centralized 
5 system control center which ensures its correspondence with the information message 
sent. However, such methods using bidirectional exchanges of data implement complex 
processing methods requiring expensive devices at the arrival and departure. 

The purpose of the present invention is therefore to propose a secure method of 
exchanging information messages that makes it possible to ensure, during successive 
10 unidirectional exchanges of information messages between a transmitting platform and a 
receiving platform, that the last message received by the receiving platform clearly 
corresponds to the last message sent by the transmitting platform in order to be able to 
validate the correct updating of the information message at the receiving platform. 

To that end, an object of the invention is a secure method of exchanging information 
15 messages sent successively from a transmitting platform to a receiving platform, 
characterized in that it comprises: 

a) an initialization sequence in which at least one initialization message containing 
information relative to the sending date ti of the first information message Mi is 
exchanged between the transmitting platform and the receiving platform so that 

20 both the transmitting and receiving platforms know the sending date ti of the first 

information message Mi. 

b) a transmission sequence of information messages in which: 

- the information messages are sent successively by the transmitting platform at 
time intervals AT E given with a transmission time tolerance of 8 (8 < AT E ), basing 
25 it on a clock pertaining to the transmitting platform, so that the first message Mi is 

transmitted on the date ti of the clock and the n* message Mn is sent on the date t n 
= ti + (n-1) * AT E + 8, each message M n being coded with at least one dynamic 
code C n pertaining to the sending date t„ of the message. Advantageously, the data 
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of the information messages are coded by a coding defined in accordance with the 
security criteria of the application, in order to make the information messages 
incomprehensible in the event of malfunction of the transmission. This coding, for 
example, is the SACEM coding. 

5 - the messages received by the receiving platform are processed according to 

their reception date t r , based on a clock pertaining to the receiving platform so that 
the messages received within an observation window F n in the vicinity of t n are 
decoded with a decoding sequence DC n adapted for decoding the dynamic code 
C n , the clock of the receiving platform being set at date ti upon receipt of the first 
10 message Mi. 

According to particular embodiments, the method according to the invention can include 
one or more of the following characteristics taken individually or in any technically 
possible combination thereof: 

- during the initialization sequence a), a coded initialization message Mo is sent from 
1 5 the transmitting platform to the receiving platform, and a coded initialization message 

M' 0 is sent from the receiving platform to the transmitting platform, said initialization 
messages Mo, M'o containing the information related to the sending date tiof the first 
information message Mi, said initialization messages M 0 , M'o being decoded by the 
transmitting and receiving platforms which then know the sending date ti of the first 
20 information message M i ; 

- in the event the first message Mi is not received in the allowed time after the receipt 
of the initialization message, the clock of the transmitting platform is automatically 
set to the date ti at the moment corresponding to the end of the allowed time; 

- the observation window F n corresponds to a window of time [ti + (n - 1)*ATe- ATf*e, 
25 ti + (n-1) *AT E + AT F * (1 - s)], where n is a whole number and AT F corresponds to the 

width of the observation window and has the relationship AT F < ATE, and where s 
falls between 0 and 1 ; 
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- a clock synchronization signal is transmitted regularly by the transmitting platform 
between the transmission of messages M n , said synchronization signal being used to 
dynamically correct the frequency or phase of the internal clock of the receiving 

5 platform in order to reduce the phase or frequency deviation between the internal 

clocks of the receiving and transmitting platforms; 

- the information messages decoded by the receiving platform are transmitted to a 
module for processing the information; 

- the messages received by the receiving platform during an observation window F n are 
10 stored sequentially in a memory that can store only one message at a time and in 

which only the message stored in this memory at the end of the observation window 
F n is transmitted to the information processing module; 

- the transmitting platform pertains to a centralized system control center of a 
supervision and management system for railroad traffic and the receiving platform 

15 pertains to a fixed installation located beside the railroad track and in which the 
information processing module is composed of control equipment placed on board a 
train traveling on a block section associated with the fixed installation. 

The purposes, aspects and advantages of the present invention will be better understood 
from the following description of a particular embodiment, provided by way of non- 
20 limiting example, with reference to the appended drawings in which: 

- figure 1 is a partial diagrammatical representation of a train supervision installation 
equipped with a secure method of exchanging information messages according to the 
invention; 

- figure 2 is a flowchart representing the principal steps of the transmission method 
25 implemented by the transmitting platform in accordance with the secure exchange 

method according to the invention; 
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- figure 3 is a flowchart representing the principal steps of the processing method 
implemented by the receiving platform in accordance with the secure exchange 
method according to the invention. 

- figure 4 illustrates on a time scale the transmission of initialization messages from a 
5 transmitting platform and the receiving of messages on a receiving platform and their 

processing in accordance with the secure exchange method according to the 
invention. 

To facilitate the reading of the drawing, only those items necessary for the 
comprehension of the invention have been shown. The same items have been given the 
10 same reference numbers from one figure to another. 

Figure 1 diagrammatically represents a centralized system control center 1 
communicating information messages to fixed installations 2 placed beside a railroad 
block section, said messages comprising information relating to the traffic conditions on 
one or more block sections located downstream from the fixed installation 2. These 
1 5 messages are then sent in a known manner by a track circuit from the fixed installations 2 
to a train 5, the train 5 including control equipment 6 using these information messages to 
determine how to proceed, such as the speed to adopt or the need to trigger an emergency 
stop. 

To carry out the transmission of the information messages, the centralized system control 
20 center 1 comprises a transmitting platform 10 connected by transmission cables 4 to a 
receiving platform 20 located in the fixed installation 2. Each transmitting platform 10 
and receiving platform 20 includes an internal clock. 

The transmission sequence of information messages by the transmitting platform 1 0 in 
the secure exchange method according to the invention will now be described with 
25 reference to figure 2. 

According to this figure, in a first step 101 of the secure exchange method, an 
initialization sequence is carried out in which a coded initialization message Mo is 
transmitted from the transmitting platform 10 to the receiving platform 20. Said message 
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Mo contains part of the information of the initial date of the first information message, 
generated by the transmitting platform, for example a random number. In a second step 
102, the transmitting platform receives the message M' 0 which is transmitted by the 
receiving platform. Said message M' 0 contains part of the information of the initial date 
5 of the first information message, generated by the receiving platform, for example a 
random number. Said messages Mo, M'o are decoded in a step 103 by the transmitting 
platform 10 in order to generate the initial date of the first message. It is possible that a 
default part may complete this initial date. 

The transmission security of the initialization sequence is customarily provided by a 
1 0 bidirectional exchange to ensure the proper correlation between the message received and 
the message sent. 

The previously described initialization sequence is followed by a step 104 of the method 
in which no message is sent by the transmitting platform 10 until the time t e of the 
internal clock of the transmitting platform 10 reaches the date ti prescribed for sending 
15 the first message Mi. At the date ti, the transmitting platform 10 sends the first message 
Mi, messages then being sent at a constant interval of time ATe so that the n* message 
M n is sent at the date t n = ti + (n - 1) * AT E + 5, n being a whole number, 5 being the 
transmission time tolerance (8 < AT E ). 

According to one characteristic of the invention, each message M n sent is coded with a 
20 dynamic code C n appropriate for the sending date t n of the message. This dynamic code 
C n is of the type selected from among the known dynamic codes that have coding 
properties such that the decoding of the message M n with a decoding sequence other than 
the DC n decoding sequence provided for decoding the code C n results in obtaining an 
incomprehensible message due to the coding defined at the application. By way of 
25 example, the selected coding is an overlay of a pseudo-random sequence based on a 
primitive polynomial X 32 + X 22 + X 2 + X + 1 applied to each of the data bits. 

The processing carried out in parallel by the receiving platform 20, during the sequence 
of transmission of the information messages by the transmitting platform 10, will now be 
described with reference to figure 3. 
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As shown in figure 3, in a first step 201 of the method the receiving platform 20 receives 
the message Mo contained in the initialization sequence transmitted by the transmitting 
platform during the step 101. In a second step 202, the receiving platform 20 transmits 
the message M' 0 which is received by the transmitting platform during the step 102. In a 
5 step 203, these messages M 0 , M' 0 are decoded by the receiving platform 20 in order to 
obtain the initial date ti of the first message Mi, as in the step 103 for the transmitting 
platform. 

In a subsequent step 204 of the method, which step is triggered when the receiving 
platform 20 receives the first message Mi, the internal clock of the receiving platform 20 
1 0 is set to the date tj so that t r = ti at the moment of receipt of this first message Mi , where t r 
is the time on the internal clock of the receiving platform 20. The internal clock of the 
receiving platform 20 is also set by default to the date ti if the first message Mi does not 
arrive at the receiving platform 20 within the time allowed after receipt of the 
initialization message Mo. 

15 Preferably, after the receipt of the message ti, the clock of the receiving platform 20 is 
regularly synchronized to the clock of the transmitting platform 10 from clock 
synchronization frames regularly transmitted by the transmitting platform 10 in the same 
cycle as the messages M n . These frames are either specific or are themselves composed 
of messages M n . Thus, when a synchronization deviation (phase, frequency, average, 

20 least squares, etc.) is measured between the internal clock of the transmitting platform 10 
and the internal clock of the receiving platform 20, a correction of the frequency or phase 
of the internal clock of the receiving platform 10 is performed dynamically so as to 
reduce the phase or frequency deviation between the two clocks. 

During the next step 205 of the method, the first received message Mi is decoded by 
25 means of a decoding sequence DCi adapted for decoding the dynamic code Ci and the 
result of the decoded message Mi is transmitted by the receiving platform 20 to the track 
circuit. 
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The next step 206 of the method is triggered iteratively when the receiving platform 20 
receives a new message M?, in principle the message M n , at a moment t r that falls within 
the time observation window F n , [which] corresponds to a window of time [ti + ( n - 1) * 
5 AT E - AT F * s, ti + (n - 1) * AT E + AT F * (1 - e)], where AT F is the width of the observation 
window, n is a whole number and e falls between 0 and 1 . 

During the next step 207 of the method, the message M? received within an observation 
window F n of the transmitting platform 20 [sic] is decoded by means of a decoding 
sequence DC n assigned to this observation window F n and corresponding to the inverse 
10 coding sequence DC„ adapted for decoding only the dynamic code C„ of the n th message 
transmitted by the transmitting platform 1 0. 

In one preferred embodiment of the invention, the message M? decoded by the receiving 
platform 20, in a step not shown in figure 3 is then stored temporarily in a memory 
having a capacity permitting the storage of only one message at a time, before being sent 
15 to the track circuit at the moment t r corresponding with the end of the observation 
window F n . In a simplified variation, the message M? can also be transmitted to the track 
circuit as soon as the end of step 207 is reached, without being stored in a memory. 

When the train 5 is on the block section, it receives by means of the track circuit the 
messages decoded by the receiving platform 20, with the assurance that the messages M? 

20 received, which have become comprehensible as the result of the decoding defined at the 
application, are correctly updated messages M n whose information should be taken into 
account. Moreover, to ensure the security of train traffic on the track, it is provided that 
the control equipment 6 on board the train 5 trigger an emergency stop when the train 5 
successively receives a plurality of incomprehensible messages, for example five 

25 messages in a row, so that the train is stopped when there is no longer enough 
information about the traffic conditions on the block section downstream. 
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Figure 4 illustrates, by way of example, an exchange sequence of information message 
according to the method of the invention. In this figure, the transmission of messages Mi 
to M 6 is represented on the upper axis t e , this axis corresponding to the elapsed time on 
5 the internal clock of the transmitting platform 10, and the receipt of messages is 
represented on the axis t r corresponding to the elapsed time on the clock of the receiving 
platform 20. For the example described in figure 4, the initialization sequence, not shown 
in the figure, will be considered to be initiated at the moment tg = 4:59 a.m. and the date U 
of sending the first message is ti = 5 a.m. The interval AT E is on the order of a few 
10 milliseconds, e.g., AT E = 50 ms, so that the updating of the information messages is 
regular. In the example shown, the transmission time tolerance 5 is zero and the 
observation windows F n have the characteristics £ = 0.5 and AT F = 25 ms. 

Thus, with reference to figure 4 and particularly to the receipt of messages on the lower 
axis t r representing the elapsed time on the clock of the receiving platform 20, several 
15 moments after the transmission of the message Mi the receiving platform 20 receives the 
first message Mi. The receiving platform 20 then proceeds to set its internal clock so that 
t r = ti at the moment of receipt of the message Mj. The message Mi is then decoded by 
the receiving platform by means of the decoding sequence DCi, then transmitted to the 
track circuit and therefore to any train 5 that may be present on the block section. 

20 Several moments later, the receiving platform 20 receives the message M 2 in the 
observation window F 2 , which is centered on t 2 and has a width AT F . The receiving 
platform 20 then proceeds to decode the message M 2 with the decoding sequence DC 2 . 
This decoded message is stored in a memory of the receiving platform that has a capacity 
allowing only one message at a time to be stored, and is then transmitted to the track 

25 circuit at the moment t r corresponding to the end of the observation window F 2 , or 
t r = t 2 + AT F / 2. The control equipment 6 of the train 5 on the block section then receives 
information about the traffic conditions by the message M 2 . 

During the observation window F 3 , no message is received by the receiving platform 20, 
following disturbances in the transmission of the message M 3 . In this case, the message 
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transmitted by the receiving platform 20 to the track circuit at the moment t r , 
corresponding to the end of the observation window F3, is incomprehensible due to the 
coding of the application, so that the control equipment 6 of the train 5 on the block 
section is notified of this fault in the updating of the information messages. 

5 When the message M 3 has finally been received in the observation window F 4 , said 
message M3 is then decoded with the decoding sequence DC4 assigned to the window F4 
which results in obtaining a decoded message that is incomprehensible thanks to the 
coding of the application which is stored in the memory of the receiving platform 20. 
This incomprehensible message is transmitted to the track circuit at the moment t r 
10 corresponding to the end of the observation window F 4 and the control equipment 6 of 
the train 5 receives this incomprehensible message which it interprets as a new fault in 
the updating of the information messages. The control equipment 6 then counts two 
successive faults in updating the information messages but does not yet cause an 
emergency stop of the train if the permitted tolerance is five successive faults. 

15 During the observation window F 5 , two messages M4 and M 5 are received successively 
by the receiving platform 20. Initially the receiving platform 20 receives the message M 4 
then the message M 5 in the same observation window F 5 . The receiving platform 
proceeds to decode this last message M 5 by the decoding sequence DC 5 , resulting in 
obtaining a decoded message that is again comprehensible due to the coding of the 

20 application, which is stored in the memory of the receiving platform 20 instead of the 
preceding message. This message M 5 is transmitted to the track circuit at the moment t r 
corresponding to the end of the observation window F 5 . The control equipment 6 of the 
train 5 then receives a message, the message M 5 , that is comprehensible thanks to the 
coding of the application, and there thus is assurance that the information contained in 

25 said message is correctly updated information. 

During the observation window F 6 , the receiving platform 20 receives the message M 6 
which is decoded by the decoding sequence DC6, then stored in the memory before being 
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sent to the circuit at the moment t r corresponding to the end of the window F 6 . The 
control equipment 6 of the train 5 then receives a message, the message M 6 , that is 
comprehensible thanks to the coding of the application and there is thus assurance that 
the information contained in this message is updated information. 

5 Thus, such a transmission method for the secure exchange of information messages 
makes it possible, by a regular unidirectional exchange of messages between a 
transmitting platform and a receiving platform, to ensure the proper updating of 
information messages that arrive comprehensibly at the recipient, and does so without the 
use of complex processing means. Such a method has the advantages of being 
10 inexpensive to implement and of allowing the high speed transmission of information, 
unlike customary bidirectional transmission systems in which the information verification 
sequence considerably slows down the transmission of messages and thus their 
recognition. The method according to the invention thus makes it possible to have a high 
refresh rate of messages received by the train. 

15 Obviously, the invention is in no way limited to the embodiment described and 
illustrated, which has been provided solely by way of example. Modifications remain 
possible, particularly from the point of view of the composition of the various elements 
or by substitution of technical equivalents, without going beyond the domain of 
protection of the invention. 
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CLAIMS 

Secure method of exchanging information messages sent successively from a 
transmitting platform (10) to a receiving platform (20), characterized in that it 
comprises: 

a) an initialization sequence in which at least one initialization message containing 
information relative to the sending date ti of the first information message Mi is 
exchanged between the transmitting platform (10) and the receiving platform (20) 
so that both the transmitting (10) and receiving (20) platforms know the sending 
date ti of the first information message Mj. 

b) a transmission sequence of information messages in which: 

- the information messages are sent successively by the transmitting platform 
(10) at time intervals AT E given with a transmission time tolerance of 8, basing it 
on a clock pertaining to the transmitting platform (10), so that the first message 
Mi is transmitted on the date ti of the clock and the n th message M n is sent on the 
date t n = ti + (n-1) * AT E + 5, each message M n being coded with at least one 
dynamic code C n pertaining to the sending date t n of the message. 

- the messages received by the receiving platform (20) are processed according to 
their reception date t r , based on a clock pertaining to the receiving platform (20) 
so that the messages received within an observation window F n in the vicinity of 
t n are decoded with a decoding sequence DC n adapted for decoding the dynamic 
code C n , the clock of the receiving platform (20) being set at date ti upon receipt 
of the first message Mi. 

Secure method of exchanging information messages as claimed in claim 1, 
characterized in that during the initialization sequence a), a coded initialization 
message M 0 is sent from the transmitting platform (10) to the receiving platform (20), 
and a coded initialization message M' 0 is sent from the receiving platform (20) to the 
transmitting platform 
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(10), said initialization messages M 0 , M'o containing the information related to the 
sending date tjof the first information message Mi, said initialization messages M 0 , 
M'o being decoded by the transmitting (10) and receiving (20) platforms which then 
know the sending date ti of the first information message Mi. 

5 3) Secure method of exchanging information messages as claimed in either of claims 1 
or 2, characterized in that in the event the first message Mi is not received in the 
allowed time after the receipt of the initialization message, the clock of the 
transmitting platform (20) [sic] is automatically set to the date ti at the moment 
corresponding to the end of the allowed time 

10 4) Secure method of exchanging information messages as claimed in any one of claims 
1 to 3, characterized in that the observation window F„ corresponds to a window of 
time [ti + (n - 1) * AT E - AT F * s, t, + (n-1) ,AT E + AT F *(1 - e)], where AT F 
corresponds to the width of the observation window and has the relationship AT F < 
ATE, and where s falls between 0 and 1. 

15 5) Secure method of exchanging information messages as claimed in any one of claims 
1 to 4, characterized in that a clock synchronization signal is transmitted regularly by 
the transmitting platform (10) between the transmission of messages M n , said 
synchronization signal being used to dynamically correct the frequency or phase of 
the internal clock of the receiving platform (20) in order to reduce the phase or 

20 frequency deviation between the internal clocks of the receiving (20) and transmitting 

(10) platforms. 

6) Secure method of exchanging information messages as claimed in any one of claims 
1 to 5, characterized in that the information messages decoded by the receiving 
platform (20) are transmitted to a module for processing the information (6). 

25 7) Secure method of exchanging information messages as claimed in any one of claims 
1 to 6, characterized in that the messages received by the receiving platform (20) 
during an observation window F n are stored 
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sequentially in a memory that can store only one message at a time and in which only 
the message stored in this memory at the end of the observation window F n is 
transmitted to the information processing module (6). 

8) Secure method of exchanging information messages as claimed in any one of claims 
5 1 to 7, characterized in that the transmitting platform (10) pertains to a centralized 

system control center (1) of a supervision and management system for railroad traffic 
and the receiving platform (20) pertains to a fixed installation (2) located beside the 
railroad track and in which the information processing module (6) is composed of 
control equipment (5) placed on board a train traveling on a block section associated 
1 0 with the fixed installation (2). 
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